Slide 1
Slide 1 text
/ Yoshinori Matsumoto
@ym405nm
Slide 2
Slide 2 text
, ,
lc t C JB KA
SO rm ids P e
1, 2 a N phoc
Wnk
1
6 05 2 6 , 20 ,
Slide 3
Slide 3 text
&#\-A ]
(5 (2018/10/8 !)
@8C89
RNWK0No Security No Life1A<6C89
,89GWordPress
'HA0,+1J
[email protected]
→ 5*DI=7)@*4A?3 WordPress A
@39[
Slide 4
Slide 4 text
OWASP
Slide 5
Slide 5 text
OWASP(,
• OWASP
(Open Web Application Security Project)
– Web@;HLA:84 8#5$.
+)GL?B-$IO=+
JN*24*'5
"
6$8
Slide 6
Slide 6 text
OWASP
• OWASP Foundation
– 2001
–
NPO
– 200 Chapter
Slide 7
Slide 7 text
Japan : OWASP Local Chapters
Slide 8
Slide 8 text
WORDPRESS
Slide 9
Slide 9 text
WordPress"%
$"%&!
WordPress
$"%&!
Slide 10
Slide 10 text
WordPress
WordPress
OWASP TOP 10
WordPress
OWASP WordPress Security
Implementa:on Guideline
Slide 11
Slide 11 text
OWASP TOP 10
Web8AD;?
:BD@9
+*,3$7( 6
,3$7( 6
OWASP JAPAN
https://www.owasp.org/index.php/Japan
Slide 12
Slide 12 text
WordPress 209:3/
WordPress.org -,209:3/
.&!(5098;4%
#209:3/*WordPress%
17963/%209:3/$%+
'#")-,
OWASP TOP 10 (2013
) % WordPress
%-,
+
WordPress 209:3/
h6ps://ja.wordpress.org/security/
Slide 13
Slide 13 text
OWASP WordPress Security Implementation Guideline
OWASP $"' WordPress
(#,+-'
+-&)-%!
WordPress
$.*DB
!
OWASP WordPress Security Implementation Guideline
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
Slide 14
Slide 14 text
WordPress'",-(
• WordPress.$!/
•
• WordPress
-
1*",+/)2
*",+/)
WordPress %!)0
Slide 15
Slide 15 text
WordPress
XML RPC
wp-login.php
TOP10 : A2(
)
WP :
Slide 16
Slide 16 text
P=6R,A;KMD5
:B:B
EI8NF
wp-login.php,4-*!!$3"+%0 (1
IP4GO@% $V
A;KMD5.,””TU3# )&1$V
.,-*2'0
)&1$V
Slide 17
Slide 17 text
JETPACK
Slide 18
Slide 18 text
A /@
$3 3,@&
'7/@
.2)6)UYID\9#/@_39 `
•
• N]W
• UYID\
WordPress8LGXZNCBMUO]PA3!/@
OTF[P3%>1:58-4+)"?);.=*^
TOP10 : A9(88(@
J\V]R\P8)
WP :LGXZNCZZ]K80<8
SMHIYE\Q
Slide 19
Slide 19 text
WordPress
!
SQL$:+&'*6:
XSS='9,;)$1;,'73/#:(>
0<-4<,
0<-4<,
JavaScript
)$1)$1
58%&".%:9<2
TOP10 : A1($:+&'*6:)
A7('9,)$1,'73/#:()
Slide 20
Slide 20 text
WordPress
+,+
The WordPress Codex Is Your Friend…
$wpdb->prepare ;@B46B, 21>&
wp_kses
esc_html / esc_attr
%*+JavaScript&
How to Prevent File Upload Vulnerabilities
https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/
current_user_can('upload_files')
&=B3,)!
#'.8;AB9,)!$
wp_check_filetype
:-/?5/;,7082+
MINE5/;,("7082+ +
Slide 21
Slide 21 text
Slide 22
Slide 22 text
OWASP ZAP
• OWASP),.14>?;>
• ?D58*
)
%$.&
16:9) $. -+$
Slide 23
Slide 23 text
WPScan
• WordPress3+- C>MSETQ
• KO@=S$FTL$4ITBNS;#+.$"
,:
21(#/):
• WordPress4!216#/):
• 4JCRTHPCG'84
-96/):
&21
WPSCan37:WordPress
h.ps://www.slideshare.net/owaspnagoya/wpscanwordpress4
C>MS
*4ETQ;4A=G3/,:0
Slide 24
Slide 24 text
WPScan9E/C3:
• ID*UN\_S>%
→ %VGI[0'"
• WordPress>*WZKI]^Q_X>T_MY]
→
)F-2C! <;
• "T_MY]9? readme.html /AT_MY]0.8,C
3>P_[F>LIR=95C:
HJON=
#5C 0+B@5
3D72$916A
,,>9?`
Slide 25
Slide 25 text
Slide 26
Slide 26 text
Slide 27
Slide 27 text
$ %
• WordPress!%0+215/
OWASP TOP10
WordPress-+23.)
OWASP WordPress Security Implementation Guideline
•
WordPress"4,*5(&
(&
WordPress"
(
-+23.)'#6(&
#twpm1019